Objective
Every individual’s right to request the protection of personal data about themselves is a sacred right arising from the Turkish Constitution. At OMWO TEKNOLOJİ A.Ş., we consider fulfilling the requirements of this right as one of our most valuable duties. We therefore attach importance to the processing and protection of your personal data in accordance with the law.
In line with the importance we attach to the protection of personal data, we have prepared the “Corporate Personal Data Protection Policy” to outline the principles and procedures we apply while processing and protecting personal data.
Scope
The Policy covers any actions concerning the data managed by OMWO TEKNOLOJİ A.Ş., such as the procurement, recording, storage, conservation, revision, re-arrangement, disclosure, transmission, takeover, attainability, or classification of personal data either partially or as a whole through automated or non-automated means, provided that such is part of any data filing system, or the prevention of its use.
The Policy applies to all personal data belonging to OMWO TEKNOLOJİ A.Ş.’s partners, officials, customers, employees, and its suppliers’ and third parties’ officials and employees.
OMWO TEKNOLOJİ A.Ş. may amend the Policy to comply with the legislation and decisions of the Turkish Personal Data Protection Authority and to improve the protection of personal data.
Definitions
Recipient Group: The category of natural or legal person to whom the controller transfers personal data.
Explicit Consent: Consent that relates to a specific subject matter, is informed, and is expressed with free will.
Anonymization: Making it impossible for personal data to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.
Data Subject: The natural person whose personal data is processed.
Relevant User: Persons who process personal data within the controller’s organization or in accordance with authorization and instructions received from the controller, other than the person or entity responsible for the technical storage, protection, and backup of the data.
Destruction: The erasure, destruction, or anonymization of personal data.
Law/the KVKK: Turkish Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any data carrier on which personal data is processed, in whole or in part, automatically or non-automatically, provided that it is part of a data filing system.
Personal Data: Any information relating to an identified or identifiable natural person.
Data Inventory: The inventory drawn up by data controllers detailing the personal data processing activities they carry out depending on their business processes, the purposes and legal grounds for processing personal data, the relevant data categories, the recipient group and the data subject group, the maximum retention periods required for the purposes for which personal data is being processed, the personal data that will be transferred abroad, and the data security measures they will take.
Processing of Personal Data: Any actions concerning the data, such as the procurement, recording, storage, conservation, revision, re-arrangement, disclosure, transmission, takeover, attainability, or classification of personal data either partially or as a whole through automated or non-automated means, provided that such is part of any data filing system, or the prevention of its use.
Committee: The Personal Data Protection Committee.
Authority: The Turkish Personal Data Protection Authority.
Sensitive Personal Data: Data on racial or ethnic origin, political opinion, beliefs, religion, sect or other persuasions, appearance and dress, membership in associations, foundations or trade unions, health, sex life, criminal convictions and security implications, and biometric and genetic data.
Periodic Destruction: Erasure, destruction, or anonymization that is carried out ex officio at recurring intervals as specified in the Personal Data Retention and Destruction Policy when all conditions for processing the personal data specified in the Law have ceased to exist.
Policy: The Personal Data Protection Policy.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authorization granted by the data controller.
Data Controller: The natural or legal person who determines the purposes and means of processing the personal data and is responsible for the establishment and management of the data filing system.
General Principles
OMWO TEKNOLOJİ A.Ş. shall, at the preparatory stage of each new workflow requiring the processing of personal data, check the compliance of the data to be processed with the following principles. Unsuitable workflows shall not be implemented.
When OMWO TEKNOLOJİ A.Ş. processes personal data, it:
(I) complies with the law and acts in good faith.
(II) ensures that personal data is accurate and, where necessary, up to date.
(III) ensures that the purpose of processing is specific, clear, and legitimate.
(IV) checks that the processed data is related to the purpose of processing, is processed limited to the extent necessary, and is proportionate.
(V) retains the data only for as long as it is stipulated in the relevant legislation or necessary for the purpose of processing, and destroys the data when the purpose of processing is no longer valid.
Tasks and responsibilities
A Personal Data Protection Commission has been established within OMWO TEKNOLOJİ A.Ş. to manage this Policy and other relevant personal data processing procedures, and to ensure enforcement of the Policy. The Commission consists of the General Director, the Head of Human Resources, and the Head of Administrative Affairs. OMWO TEKNOLOJİ A.Ş. also receives advisory assistance on the KVKK as required for compliance with Turkish Law No. 6698 on the Protection of Personal Data. If necessary, the Commission may invite the KVKK advisor to its meetings.
The tasks and responsibilities of the Commission are listed below:
• Ordinary meetings are held every 6 months. They may be convened on an extraordinary basis when circumstances require (e.g. in the event of a possible data breach).
• The Commission discusses items that need to be changed/improved in the Policy.
• It determines what conditions can be met for the lawful processing and protection of personal data.
• It determines what actions can be taken to raise awareness on the KVKK within the company and among business partners.
• It identifies the risks that may arise in the processing and protection of personal data, and takes the necessary administrative and technical measures.
• It liaises with the Authority and maintains relationships.
• It evaluates information requests from data subjects.
• It follows periodic destruction processes.
• It updates the data inventory.
The Commission also makes necessary assignments in order to conduct these processes.
Data security measures
OMWO TEKNOLOJİ A.Ş. shall take all necessary technical and administrative measures to ensure an adequate level of security to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, and (iii) ensure the retention of personal data.
Technical measures
• Network and application security are ensured.
• Security measures are taken as part of the procurement, development, and maintenance of information technology systems.
• Access logs are maintained on a regular basis.
• Up-to-date anti-virus systems are used.
• Firewalls are used.
• Necessary security measures are taken for entering and exiting physical environments that contain personal data.
• Physical environments containing personal data are secured against external risks (fire, flood, etc.).
• Environments containing personal data are secured.
• Personal data backups are made and the security of backup data is also ensured.
• A user account management and authorization control system is implemented and monitored.
• Logs are maintained without user intervention.
• Systems are implemented to detect and prevent attacks.
• Data is encrypted.
Administrative measures
• Disciplinary rules are in place that include data protection provisions for employees.
• Data security training and awareness sessions for employees are conducted at regular intervals.
• Corporate policies on access, information security, use, storage, and destruction of information have been developed and have begun to be implemented.
• Data masking measures are taken when necessary.
• Confidentiality agreements are in place.
• An authorization matrix has been established for employees.
• Authorizations belonging to employees who change roles or leave the company are revoked.
• Signed contracts include data security provisions.
• Personal data security policies and procedures have been established.
• Any problems regarding the security of personal data are reported quickly.
• Personal data security is monitored.
• The recording of personal data is minimized as much as possible.
• Internal audits are conducted and commissioned at regular intervals and/or on a random basis.
• Existing risks and threats have been identified.
• Protocols and procedures for the security of sensitive personal data have been established and implemented.
• If sensitive personal data is to be sent via email, it is encrypted and sent via registered email or a company email account.
• Data processing service providers are made aware of data security.
The data subject’s rights regarding personal data
The data subject may write to OMWO TEKNOLOJİ A.Ş. in order to:
• Find out if their personal data is being processed or not.
• Request information regarding whether their personal data has been processed.
• Learn the purpose for which their personal data has been processed and whether it has been used for its intended purpose.
• Know the names of the third parties to whom their personal data has been transferred domestically or abroad.
• Request the rectification of errors to their personal data in the event of incomplete or inaccurate processing and to request that the action taken is communicated to the third parties to whom their personal data has been transferred.
• Request the erasure or destruction or anonymization of personal data when the reasons for it being processed cease to exist, even if the data has been processed in accordance with the provisions of the KVKK and other relevant provisions, and to request that the action taken in this context is communicated to the third parties to whom their personal data has been transferred.
• Object to any detrimental impact resulting from their data being analyzed solely by automated systems.
• Obtain compensation in the event of damages caused by the unlawful processing of their personal data.
Notification of violations
OMWO TEKNOLOJİ A.Ş. employees shall notify the Commission of work, actions, or incidents that they believe violate the provisions of the KVKK and/or the Policy. The Commission shall meet as necessary after the violation notification and shall prepare an action plan for the violation. If the violation has occurred as a result of the unlawful acquisition of personal data by others, the Commission shall notify the data subject and the Committee within 72 hours under the Committee’s decision of 24.01.2019, numbered 2019/10.
Amendments
Amendments to the Policy shall be prepared by the Commission and submitted to the Board of Directors of OMWO TEKNOLOJİ A.Ş. for approval. The updated Policy may be emailed to staff or posted on the website.
Effective date
This version of the Policy was approved by the Board of Directors on 01.07.2022 and thereby became effective.